Impact
The vulnerability allows users with tag‑editing permissions to edit or synonymize tags that are hidden within restricted tag groups, even when those users cannot see the tags. This undermines the intended visibility restrictions and could enable malicious users to re‑categorize or otherwise manipulate content in a way that bypasses moderation controls. The compromise is limited to the integrity of tag data and the integrity of content classification, and the CVSS score of 3.5 reflects a moderate impact.
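The missing check described above, as an added sketch that is not Discourse's code: it models an edit permission evaluated with and without a visibility check, and lists the hidden tags a user could still edit under each. All class, method, group and tag names are hypothetical, and the sample data is constructed.

```ruby
# Added illustration. Every name here is hypothetical; this is not Discourse's code.
User = Struct.new(:name, :groups, :can_edit_tags)
# visible_to: user groups allowed to see the tags in this tag group; nil = everyone.
TagGroup = Struct.new(:name, :tags, :visible_to)

class TagPolicy
  def initialize(tag_groups)
    @tag_groups = tag_groups
  end

  def all_tags
    @tag_groups.flat_map(&:tags).uniq
  end

  # In this model a tag is visible when every tag group containing it
  # is either unrestricted or shares at least one group with the user.
  def visible?(user, tag)
    @tag_groups.select { |g| g.tags.include?(tag) }.all? do |g|
      g.visible_to.nil? || (g.visible_to & user.groups).any?
    end
  end

  # Flawed pattern: only the edit permission is checked; the tag is ignored.
  def can_edit_unsafe?(user, _tag)
    user.can_edit_tags
  end

  # Hardened pattern: editing (or synonymizing) also requires visibility.
  def can_edit?(user, tag)
    user.can_edit_tags && visible?(user, tag)
  end

  # Regression check: tags the user cannot see but the given check would allow editing.
  def hidden_but_editable(user, check)
    all_tags.reject { |t| visible?(user, t) }
            .select { |t| public_send(check, user, t) }
  end
end

# Constructed sample data.
POLICY = TagPolicy.new([
  TagGroup.new("public", %w[howto bug], nil),
  TagGroup.new("staff-only", %w[legal-hold escalated], %w[staff])
])
EDITOR = User.new("editor", %w[trust_level_3], true)
STAFF  = User.new("mod", %w[staff], true)
```

An empty result from `hidden_but_editable` for every non-staff test user is the property a regression test for this class of bug should assert.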
Affected Systems
All installations of the Discourse forum software running 2026.3.0 through the most recent 2026.3.0‑latest.1 build, or the 2026.2.1 and 2026.1.2 releases, are affected. Affected releases can be identified by their version numbers. The patch is included in the 2026.3.0‑latest.1 build and the corresponding 2026.2.1 and 2026.1.2 releases.
Risk and Exploitability
With a CVSS score of 3.5, the vulnerability is considered moderate. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the issue is not listed in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. An attacker only needs a legitimate account that has been granted tag‑editing privileges; once that permission is available, the attacker can modify hidden tags without needing additional authentication or system-level access. The exploitation path is straightforward once the privilege is in place, but the overall risk remains low due to the specialized role required for the attack.